Questions for Spamhaus: Update
By Ken Magill
I think we may have drowned Steve Linford.
Two weeks ago, the chief executive of anti-spam outfit Spamhaus agreed to take questions from Magill Report readers.
I put out a call for questions and the responses came in. Boy, did they come in.
Fifty-one of them, to be exact. Linford has assured me he’s working on them. We should be hearing from him soon.
For those who are curious, here is a complete list of the questions submitted:
[Editor's note: It is up to Linford to decide which questions he wants to answer. Given the volume, don't be surprised if not all of them are addressed.]
1. How can Spamhaus work directly with legitimate marketers when issues arise? Wouldn’t it best serve customers and the overall email industry to resolve issues in good faith (as opposed to staying at arm’s length)?
2. As more retailers offer to “email your receipt” in stores, the problem of mistyped email addresses is likely to increase, and hitting Spamhaus traps will be more prevalent. Is there some way for Spamhaus to “ignore” emails that it gets from retailers when they see a capture event type (like a receipt)? Could they eventually focus instead on ensuring that marketers have good list hygiene by ensuring that the email is no longer mailed 12 months after not activating? Or what would they recommend?
3. How is Spamhaus working with legitimate marketers to improve list hygiene? Do they have a list of ‘best practices’ that they’d ideally like brands to follow that are business friendly (getting that customer email address) as well as good for business (legitimate email address)?
4. Does Spamhaus use email addresses that were used to subscribe to mailing lists and then discarded? Do old Yahoo, Gmail addresses become spam traps? How old? Also are they being tracked by Spamhaus?
5. Are Spamhaus listings [ever] based on complaints sent to them?
6. If hitting spamtraps is the only criterion what is the threshold?
7. How is Spamhaus certifying an ESP? What are the criteria? [Steve, I have no idea what this refers to. I considered deleting it, but included it thinking you might know what he’s asking.]
8. When Spamhaus created their whitelist they chose not to permit “marketing of any sort” or permit any company applying who used an ESP. Because Spamhaus is in a uniquely privileged position with their whitelist, they could have helped the email industry with a new standard of trust. Why did they choose not to do this?
9. Does Spamhaus believe that email should be delivered to consumers who have opted-in to email marketing from brands? [I know the short answer is yes, but left this one in in case you want to elaborate.]
10. How can professional email marketers who wish to get opt-in emails delivered work with Spamhaus and other important providers of spam detection to help ensure spam is not delivered and other communications are? [Here again, I know the short answer is stop spamming, but I left it in anyway.]
11. What is their goal with CSS and do they feel they’re achieving it? Are they catching the “bad guys” so to speak or could it be acknowledged that ‘babies are being thrown out with the bathwater’? [This one’s from a reader who says they’re doing everything right and yet got caught in your anti-snowshoe spamming efforts somehow.]
12. What trips a CSS listing – spamtraps?
13. How real-time are the [SBL] listings? In other words, if you sent something a week ago, could that cause you a listing now, or does it happen from the most recent mail only?
14. It's clear from Spamhaus' 'recent SBL listings' tracking list that the vast majority of SBLs are related to criminal behavior, most of which involves truly nefarious and malicious activity. It's also clear from most of Spamhaus' ISP 'users' that they no longer deliver most 'spam' or even 'bacn' to the Inbox and their filters are highly customized to identify unwanted messaging from dedicated IP address senders. So why does Spamhaus continue to believe that their resources should be spent blocking legitimate commercial email where there is clearly a larger need to maintain focus on the criminal actors, as well as the diminishing needs by their 'users' to block legitimate (i.e., dedicated and transparent) commercial emailers?
15. Background: Working for an ESP, we sometimes get reports that a client has hit a spamtrap owned by Spamhaus. After we vet the account, obtain list origins and determine it's an account we can help resolve the issue and not a bad actor that got through our self-service filters, we need to understand the best way to proceed. We 100 percent understand the purpose of spamtraps and make sure it is a client we trust doing everything else correctly and maybe just have an old address or a typo mixed in within their list.
16. Can you confirm that spamtraps do not open, click or otherwise show engagement? In other words, if a client does have a spamtrap within their list, would removing or double opting in inactive subscribers help eliminate the trouble address?
17. Does Spamhaus report traps hit immediately? For example, if a long standing client is reported for hitting traps, is it safe to say it was from a recent upload or signups?
18. Besides typo, harvested, purchased, and recycled spamtraps, is there any other way a trap would appear in a client's list?
19. What if someone manages to identify a spam trap's identity and enroll it on a competitor's mailing list? How lenient is Spamhaus to these issues knowing they exist?
20. Currently, we understand that typo-traps are being monitored by Spamhaus, but that they are mainly being used to advise marketers on the risks of mailing non-confirmed opt-in. Are there any plans over the next year to increase the blocking frequency and severity on marketers mailing to typo-trap addresses and domains?
21. How many different types of spam-traps does Spamhaus monitor, and are some traps more dangerous than others?
22. If a marketer is mailing to a purchased list of all actively engaged recipients (opening and clicking their emails regularly), do they still run the risk of hitting spam traps?
23. Can you confirm that Spamhaus has a lower tolerance for newly allocated domains and IPs?
24. Based on a sender's business model, reaching out to their customers every 2, 3, or even 4 years may be necessary or applicable business practice. (example: purchasing a new car, TV, kitchen appliance). If this is necessary business practice, how can a sender do this safely without risking hitting too many traps?
25. What qualifies a domain for listing on the DBL? How is this different from listing the sending IPs instead on the SBL or CSS lists?
26. What business hours do Spamhaus employees work? Or, what is the best time to reach out to Spamhaus?
27. Will Spamhaus ever engage in a phone call with marketers? [When asked for clarification, he said he means one-on-one calls with marketers who have gotten in trouble, or, say, a monthly conference call. I think the short answer is no for practicality and safety reasons, but maybe you can elaborate.]
28. What information must be collected in order to provide evidence that a subscriber opted in to receive a commercial email?
29. If an ESP sends mail for multiple clients on a shared range of IP addresses and uses a shared sending domain, what is the best way to work with Spamhaus to resolve a block listing issue for an offending client while maintaining service for the rest of the clients on the range?
30. If an ESP sends mail for multiple clients on a shared range of IP addresses and the sending domain for each is a separate sub-domain, what is the best way to work with Spamhaus to resolve an issue for an offending client while maintaining service for the rest of them?
31. Is there any risk to having multiple, separate sub-domains of a single parent domain, each sending mail for different clients or are the domains treated entirely separately? (ex: branda.maindomain.com, brandb.maindomain.com, brandc.maindomain.com)
32. Do they open/render images on emails they receive? If so, how would they expect a marketer to distinguish that from ‘real’ engagement?
33. Ditto for clicks. Do they follow any of the links in the emails they receive?
34. Are blacklistings all done by humans or are some automatically triggered by the receipt of *any* emails to an address? In other words, does the *content* or *purpose* of the message matter at all, or is it simply the fact an email was received? And if it is reviewed, are there formalized criteria for this evaluation?
35. Do they collaborate with other blacklist providers? E.g. is it possible to get listed (or a listing escalated) within Spamhaus because of ‘hits’ elsewhere or vice versa?
36. Are decisions to blacklist made by any of the ‘volunteers’? Is there a QC or review process internally?
37. Given that Spamhaus participants are all volunteers, how do they enforce consistent review and blacklisting behavior?
38. Why do they sometimes just list the offending IPs, but other times appear to name and attack specific marketing brands?
39. What do they say to claims they are unfairly targeting legitimate marketers?
40. What’s their opinion of list rental or other one-time *opt-in* offers to an email address?
41. Typos & errors happen. What thresholds is Spamhaus using to avoid accidental listings and/or what can marketers do to avoid?
42. Could they imagine cooperating with the DMA and if so, what would that look like?
43. What can hosting networks do to get off Spamhaus?
44. I run abuse for a hosting provider in the US. We've had our share of SBL and XBL listings, and have responded by tuning in to feedback loops and aggressively removing customers who trigger listings and complaints. We also thoroughly vet new customers using a credit card fraud service as well as telephone verification, captchas, and other techniques.
With all this being said, the problem is that mail still flows out of our customers' servers (which we don't control, because they are dedicated and VPS servers). How can we block the spam proactively? Is there a way that Spamhaus could send us feedback data other than a blacklisting? Can anyone else help with this?
45. How has your business, mission, and the industry of blacklists changed over time? We first started working with Spamhaus in year 2000 and found that Spamhaus only listed networks that were known for sending majority spam, with very little legitimate email being blocked. As the years have gone by, it seems that Spamhaus is taking a more aggressive approach by listing some networks that send all opt-in email and their only flaws are typos and being single opt-in. Is our perception off? Where does Spamhaus see the future and how might that change over time?
46. Spamhaus has always been clear on recommending Confirmed-Opt-In email address collection. I am sure you know most legitimate mailers, including large corporations, use single opt-in. Is it part of Spamhaus’s mission or intention to blacklist all companies that do not use confirmed-opt-in? How does Spamhaus determine which companies to list and which ones to not list? Many Fortune 500 companies do not use confirmed-opt-in and most are not listed by Spamhaus. Does Spamhaus fear they could lose credibility by listing companies like GAP and others who play by most of the right rules with only typos and single opt-in being the only tarnish on their record?
47. Most consumers are not used to getting confirmation messages when they sign up for an email list. Unless consumers receive the confirmation right away, they are afraid to click on emails they don’t recognize for fear of phishing, viruses, and so forth. Even those that do receive the confirmation right away could be wary. I believe this is one of the reasons that legitimate companies do not use confirmation messages. How does Spamhaus suggest companies handle this? Before it becomes commonplace, there needs to be a tipping point to get consumers used to seeing and acting on confirmation messages. When does Spamhaus see this tipping point happening? In the past 13 years, I have not seen the majority of the marketplace adopt confirm opt-in.
48. Lastly, we ask that Spamhaus be more clear when describing each section and also when responding to some of their listings. Spamhaus SBL in our experience is very responsive and easy to work with. Our concern is with the CBL (Composite Blocking List). The CBL web page says they only list IPs with spambot or virus-like activity. It does not clearly explain that the CBL also operates a spamtrap that can list legitimate mail servers' IPs. We once were listed for two weeks while we researched what could have been causing the issue (looking for misconfigurations, virus-like activity, etc.) only to learn that the CBL administrators were upset and listed some of our IPs because they received one of our emails to their spamtrap. CBL administrators were not clear about this when we reached out to them as to what the problem was. They replied with terse replies like “This needs to stop”, but not explaining what needs to stop (was it a header problem, a spam problem, etc.). Please have the CBL administrators be more clear on if listings are caused by virus/bot-like activity or if they were spammed. I am sure you know that a Spamhaus listing is devastating to a marketer and yes, 60% of email bounces when blocked by Spamhaus.
49. What is the risk of a single “typo” email record? If the record is mailed once, but not ever again, is that enough to get listed? Is it true that a sender will get a warning first, and then if non active records are mailed again, that is when the block is placed? (If a person submits their email address, how can a marketer know if it’s good if we don’t mail it at least once?)
50. Do Spamhaus volunteers take “complaints” from other people, or are they only identifying “bad actors” based on personal receipt of a message?
51. How many volunteer complaints are required to flag a sender? (One? Ten?) Is this tracked at the individual level or just total? For example, one volunteer who complains five times counts as one or five?